# Register the Kyverno chart repository, refresh the local index, then install
# Kyverno into its own namespace with several replicas per controller.
# NOTE(review): no chart --version is pinned, so every run installs whatever
# the repository index currently advertises; pinning the version keeps
# installs reproducible and makes upgrades an explicit, reviewable change.
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
helm install kyverno kyverno/kyverno \
  --namespace kyverno --create-namespace \
  --set admissionController.replicas=3,backgroundController.replicas=2,cleanupController.replicas=2,reportsController.replicas=2
# Confirm the Kyverno controller Pods came up in the kyverno namespace.
kubectl get pods --namespace kyverno
# Create the two namespaces the policies below are scoped to, in order.
for target_ns in prod beta; do
  kubectl create namespace "$target_ns"
done
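apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-latest-tag
  annotations:
    policies.kyverno.io/title: Restrict Latest Tag
    policies.kyverno.io/category: Pod Security
    policies.kyverno.io/severity: high
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      This policy restricts the use of the 'latest' tag in the 'prod' namespace.
spec:
  # Reject non-compliant Pods at admission time. NOTE(review): newer Kyverno
  # releases spell this value `Enforce`; lowercase is still accepted but
  # deprecated — confirm against the installed chart version.
  validationFailureAction: enforce
  # Also scan already-existing resources and record violations in reports.
  background: true
  # Rules match Pods only; Kyverno by default auto-generates the equivalent
  # rules for Pod controllers (Deployments, Jobs, ...) — confirm autogen has
  # not been disabled for this policy.
  rules:
    # An image with no tag at all (e.g. "nginx") is resolved as ":latest" by
    # the runtime, and the "!*:latest" pattern below does not catch it. Require
    # an explicit "<name>:<tag>" (or "@sha256:..." digest) first.
    - name: require-image-tag-in-prod
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - prod
      validate:
        message: "An explicit image tag is required in 'prod' namespace."
        pattern:
          spec:
            # =(...) is a conditional anchor: the check applies only when the
            # field is present, so Pods without init/ephemeral containers pass.
            =(ephemeralContainers):
              - image: "*:*"
            =(initContainers):
              - image: "*:*"
            containers:
              - image: "*:*"
    # With a tag guaranteed to exist, forbid the mutable "latest" tag in every
    # container list, not just spec.containers.
    - name: disallow-latest-tag-in-prod
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - prod
      validate:
        message: "Using 'latest' tag is not allowed in 'prod' namespace."
        pattern:
          spec:
            =(ephemeralContainers):
              - image: "!*:latest"
            =(initContainers):
              - image: "!*:latest"
            containers:
              - image: "!*:latest"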
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enforce-labels
  annotations:
    policies.kyverno.io/title: Enforce Labels
    policies.kyverno.io/category: Pod Security
    policies.kyverno.io/severity: high
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      This policy enforces specific labels in 'prod' and 'beta' namespaces.
spec:
  # Report on existing Pods as well as new admissions.
  background: true
  # Reject Pods that fail validation instead of only auditing them.
  validationFailureAction: enforce
  # One rule per namespace: each requires the cloudhrdk.com/env label to carry
  # exactly the name of the namespace the Pod lives in.
  rules:
    - name: require-prod-label
      match:
        any:
          - resources:
              namespaces:
                - prod
              kinds:
                - Pod
      validate:
        message: "Pods in 'prod' namespace must have label 'cloudhrdk.com/env: prod'."
        pattern:
          metadata:
            labels:
              cloudhrdk.com/env: "prod"
    - name: require-beta-label
      match:
        any:
          - resources:
              namespaces:
                - beta
              kinds:
                - Pod
      validate:
        message: "Pods in 'beta' namespace must have label 'cloudhrdk.com/env: beta'."
        pattern:
          metadata:
            labels:
              cloudhrdk.com/env: "beta"
# Apply both ClusterPolicy documents from the saved manifest.
kubectl apply --filename kyverno.yaml
